Understanding Threat Triage Rule Configuration

The goal of threat triage is to prioritize the alerts that pose the greatest threat
and need urgent attention. To create a threat triage rule configuration, you must first define
your rules.

Each rule has a predicate that decides whether or not the rule applies to a given message,
and a score that the rule contributes when it does. The scores of every rule that fires on a
message are aggregated into a single threat triage score, which is used to prioritize
high-risk threats.

Following are some examples:

Rule 1

If the message was flagged by the threat intelligence enrichment type zeusList, assign an
alert score of 5.

Rule 2

If the URL ends with neither .com nor .net, assign an alert score of 10.

Aggregation

The third setting is not a rule with a predicate but the aggregator that combines the
scores of the rules that fired: for each message, the triage score is the maximum score
across all rules whose conditions held. With the two rules above, a message that matches
both gets a triage score of 10, not 15.

You can use the 'reason' field to generate a message explaining why a rule fired. One
or more rules may fire when triaging a threat, and each fired rule carries its own reason.
Having detailed, contextual information about the environment at the moment a rule fired
can greatly assist actioning the alert, so the reason should interpolate values from the
message rather than repeat the rule's static description. For example:

Rule 1

If the observed value for a host exceeds its threshold, assign an alert score of 10, with a
reason built from the message fields, such as "For hostname <hostname>, the value <value>
exceeds threshold of <value_threshold>" (the placeholders in angle brackets stand for the
hostname, the observed value and the threshold taken from the message when the rule fired).
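The following is an added, self-contained example that is not part of the original page or of any particular triage product: it implements the model described above (rules with a predicate, a score and a reason; a MAX aggregator over the rules that fired) in Python and runs the three example rules over constructed messages. The JSON field names (riskLevelRules, rule, score, reason, aggregator), the predicate helpers (exists, ends_with, gt), the brace placeholders in reason templates and the extra MIN/SUM/MEAN aggregators are assumptions of this example, not a schema or expression language taken from the page. Predicates are parsed with Python's ast module against a whitelist of node types, so a rule expression loaded from configuration cannot reach builtins, attributes or imports.

```python
import ast
import json
from typing import Any, Callable

# Predicate helpers available to rule expressions (assumed names for this example).
# Each receives the message plus the literal arguments written in the rule; string
# arguments name message fields.
HELPERS: dict[str, Callable[..., bool]] = {
    "exists": lambda msg, field: msg.get(field) is not None,
    "ends_with": lambda msg, field, suffix: str(msg.get(field, "")).endswith(suffix),
    "gt": lambda msg, field, other: (
        msg.get(field) is not None and msg.get(other) is not None and msg[field] > msg[other]
    ),
}

# Only boolean logic, calls to the helpers above and literals are accepted, so a rule
# expression from configuration cannot reach Python builtins, attributes or imports.
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
            ast.Call, ast.Name, ast.Load, ast.Constant)


def compile_predicate(expr: str) -> Callable[[dict], bool]:
    """Parse a rule predicate into a function of the message, rejecting unsafe syntax."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"{type(node).__name__} not allowed in predicate {expr!r}")
        if isinstance(node, ast.Name) and node.id not in HELPERS:
            raise ValueError(f"unknown function {node.id!r} in predicate {expr!r}")
        if isinstance(node, ast.Call) and (not isinstance(node.func, ast.Name) or node.keywords):
            raise ValueError(f"unsupported call form in predicate {expr!r}")

    def evaluate(node: ast.AST, msg: dict) -> Any:
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Call):
            args = [evaluate(a, msg) for a in node.args]
            return HELPERS[node.func.id](msg, *args)
        if isinstance(node, ast.UnaryOp):          # only `not` survives the whitelist
            return not evaluate(node.operand, msg)
        if isinstance(node, ast.BoolOp):
            values = (evaluate(v, msg) for v in node.values)
            return all(values) if isinstance(node.op, ast.And) else any(values)
        raise ValueError(f"cannot evaluate {type(node).__name__}")

    return lambda msg: bool(evaluate(tree.body, msg))


# MAX is the aggregation the text describes; MIN, SUM and MEAN are extra options added
# here for illustration (assumed, not from the page).
AGGREGATORS: dict[str, Callable[[list[float]], float]] = {
    "MAX": max,
    "MIN": min,
    "SUM": sum,
    "MEAN": lambda scores: sum(scores) / len(scores),
}


class _Fields(dict):
    """Message view for reason templates: a missing field renders as a visible marker."""
    def __missing__(self, key: str) -> str:
        return f"<{key} missing>"


def triage(config: dict, msg: dict) -> dict:
    """Apply every rule whose predicate holds and aggregate the scores of those that fired."""
    fired = []
    for rule in config["riskLevelRules"]:
        if compile_predicate(rule["rule"])(msg):
            # The template comes from trusted configuration; message values are only
            # substituted as data, so a hostile field value cannot alter the template.
            reason = rule.get("reason", "").format_map(_Fields(msg))
            fired.append({"name": rule["name"], "score": rule["score"], "reason": reason})
    aggregate = AGGREGATORS[config.get("aggregator", "MAX")]
    scores = [r["score"] for r in fired]
    return {"score": aggregate(scores) if scores else 0, "rules": fired}


# Constructed configuration mirroring the three example rules in the text. Rule 2 guards
# on exists('domain') so that a message with no domain field does not fire it.
TRIAGE_CONFIG = json.loads("""
{
  "riskLevelRules": [
    {"name": "zeus_list_hit",
     "rule": "exists('threatintel_zeusList')",
     "score": 5,
     "reason": "Destination {ip_dst_addr} is on the zeusList threat intel feed"},
    {"name": "non_com_net_domain",
     "rule": "exists('domain') and not (ends_with('domain', '.com') or ends_with('domain', '.net'))",
     "score": 10,
     "reason": "Domain {domain} ends with neither .com nor .net"},
    {"name": "value_over_threshold",
     "rule": "gt('value', 'value_threshold')",
     "score": 10,
     "reason": "For hostname {hostname}, the value {value} exceeds threshold of {value_threshold}"}
  ],
  "aggregator": "MAX"
}
""")

# Constructed sample messages (documentation IP ranges, fictitious hosts).
MESSAGES = [
    {"hostname": "web-01", "ip_dst_addr": "203.0.113.9", "domain": "example.org",
     "threatintel_zeusList": "alert", "value": 7, "value_threshold": 10},
    {"hostname": "web-02", "ip_dst_addr": "198.51.100.4", "domain": "example.com",
     "value": 12, "value_threshold": 10},
    {"hostname": "web-03", "ip_dst_addr": "192.0.2.77", "domain": "example.net",
     "value": 3, "value_threshold": 10},
]

if __name__ == "__main__":
    for message in MESSAGES:
        result = triage(TRIAGE_CONFIG, message)
        print(message["hostname"], result["score"], [r["reason"] for r in result["rules"]])
```

Running it shows the aggregation point from the text: web-01 matches both the zeusList rule (5) and the non-.com/.net rule (10) and receives a triage score of 10 under MAX, whereas switching the aggregator to SUM would give 15. The reason for web-02 reads "For hostname web-02, the value 12 exceeds threshold of 10", with the values taken from the message at the time the rule fired.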